Red Hot Cyber
Sturnus, the banking Trojan that intercepts WhatsApp, Telegram, and Signal messages

Redazione RHC : 21 November 2025 10:23

ThreatFabric researchers have discovered a new Android banking Trojan, Sturnus. The malware can intercept messages from end-to-end encrypted messaging apps (Signal, WhatsApp, Telegram) and take full control of an infected device through VNC.

Researchers report that Sturnus uses an elaborate communication scheme with its command and control servers, mixing cleartext traffic with RSA- and AES-encrypted messages.

Once installed, the malware connects to the command and control server, registers the victim, and opens two channels: an HTTPS channel for commands and data exfiltration, and an AES-encrypted WebSocket for real-time VNC sessions.

A Sturnus infection typically begins with the download of a malicious APK disguised as Google Chrome (package name com.klivkfbky.izaybebnx) or Preemix Box (package name com.uvxuthoq.noscjahae). The exact distribution method is still unknown, but the researchers suspect the attackers rely on malicious advertisements or direct messages sent through messaging apps.

The Trojan does not intercept messages in transit; it reads them after the legitimate app has already decrypted them. In practice, the malware reads the content straight off the infected device's screen. To do this, Sturnus abuses the Android Accessibility Service, which gives it access to everything rendered on screen: contacts, chats, and incoming and outgoing messages.

“This allows for a complete bypass of end-to-end encryption, allowing access to messages after they have been decrypted by a legitimate app, giving attackers direct access to supposedly private conversations,” the researchers note.

In addition to reading messages, Sturnus requests Device Administrator privileges on Android, which let it monitor password changes, lock the device remotely, and resist removal. Unless those privileges are revoked manually, uninstalling the app, including via ADB, is blocked.
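The two persistence mechanisms described above, an enabled Accessibility Service and an active device admin, are both visible from adb. The script below is an added example (not code from ThreatFabric or from this article) that checks two adb outputs for the dropper package names quoted in the report. The device output embedded in it is constructed sample data in the format adb prints; the service and receiver class names in that sample are made up, and only the two package names come from the report.

```shell
#!/bin/sh
# Added example: offline triage of adb output for Sturnus persistence
# indicators. Device output below is CONSTRUCTED; class names are invented.

# Package names quoted in the ThreatFabric report.
IOC_PACKAGES="com.klivkfbky.izaybebnx com.uvxuthoq.noscjahae"

# Constructed output of:
#   adb shell settings get secure enabled_accessibility_services
# Colon-separated "package/ServiceClass" entries; "null" when none enabled.
SAMPLE_A11Y='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.klivkfbky.izaybebnx/.svc.AccSvc'

# Constructed excerpt of:
#   adb shell dumpsys device_policy
SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver
    com.uvxuthoq.noscjahae/.recv.AdminReceiver'

# Read package names on stdin; print those on the IOC list (unique, sorted).
match_iocs() {
    sort -u | while read -r pkg; do
        for ioc in $IOC_PACKAGES; do
            [ "$pkg" = "$ioc" ] && printf '%s\n' "$pkg"
        done
    done
}

# $1: the enabled_accessibility_services setting string.
# Prints IOC packages that currently have an accessibility service enabled.
find_ioc_a11y() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | match_iocs
}

# $1: dumpsys device_policy text.
# Prints IOC packages that hold an active device admin component.
find_ioc_admin() {
    printf '%s\n' "$1" | sed -n 's#^[[:space:]]*\([A-Za-z0-9_.]*\)/.*#\1#p' | match_iocs
}

# Combined verdict: one "<type> <package>" line per hit; returns 1 if any hit.
triage() {
    hits=0
    for p in $(find_ioc_a11y "$1"); do echo "accessibility $p"; hits=1; done
    for p in $(find_ioc_admin "$2"); do echo "device-admin $p"; hits=1; done
    return $hits
}

# Stand-alone run on the constructed samples. Against a real device, use:
#   triage "$(adb shell settings get secure enabled_accessibility_services)" \
#          "$(adb shell dumpsys device_policy)"
if triage "$SAMPLE_A11Y" "$SAMPLE_DPM"; then
    echo "no Sturnus indicators found"
else
    echo "INDICATORS FOUND: revoke device admin in Settings before uninstalling"
fi
```

The check is read-only: while the admin component is active, `pm uninstall` of the package fails, as the article notes, so a hit means the admin privilege has to be revoked in the device settings before any removal attempt.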

Through VNC, the attackers can simulate keystrokes, text entry, scrolling, and navigation. At the right moment they can draw a black overlay and act behind it unseen: transfer money from banking apps, confirm prompts, approve multi-factor authentication requests, change settings, or install additional apps.

Sturnus primarily targets customers of European financial institutions, using region-specific overlays. The Trojan currently appears to be aimed mainly at users in Southern and Central Europe. Because the scope of the attacks is still limited, the researchers believe the operators are testing their capabilities before launching larger campaigns.

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.